
ProKYC: Synthetic Identity Fraud as a Service


While synthetic identity fraud is a known issue, especially for banks and financial institutions, it is once again becoming more difficult to detect as cybercriminals develop more sophisticated fraud methods and share these tools. It has recently come to light that the company ProKYC is selling a deepfake tool in the cybercriminal underground that helps threat actors bypass more sophisticated multi-factor authentication methods.

This fraud tool is being used in the cryptocurrency space to successfully conduct account fraud attacks in cryptocurrency exchanges. The crypto space is a prime target for this burgeoning technology, as it is known for being less regulated, or completely unregulated, compared to traditional financial institutions. However, this technology will likely be seen by traditional banks and fintech firms soon, and those that have less sophisticated KYC protocols may fall victim. Even banks and financial institutions that are keeping up with legislation and regulations could still be vulnerable to cybercrime as it evolves more quickly than regulatory agencies can keep up with.

There are penalties for perpetrators of identity fraud – in the United States, the maximum penalty is up to 15 years' imprisonment and heavy fines. However, this is often not a strong enough deterrent for synthetic identity fraud, which can be very difficult to trace back to the perpetrator. It is essential that decision-makers educate themselves on the newest fraud tactics and employ robust cybersecurity systems to detect and prevent synthetic identity fraud before it takes place.


What makes ProKYC’s technology different?

While past KYC processes used two-factor authentication (2FA), this system was quickly outsmarted by fraudsters. As institutions strengthened their KYC methods to prevent fraud, multi-factor authentication (MFA) became the standard. Initial MFA methods were also not foolproof, and as MFA evolved a new standard has emerged that seems to curb most fraud attempts – a process where users use their phone or webcam to submit images of the front and back of their ID, as well as a selfie.

As AI has empowered fraudsters to circumvent more traditional MFA methods, regulated industries have increasingly turned to these more rigorous KYC protocols. This process prevented fraudsters from being able to create accounts using synthetic identities – even if they had purchased or created an ID document that was believable enough to pass the initial verification, they were unable to then complete the facial matching step.

It is no surprise that criminals have been working to circumvent this KYC process – while researchers recently discovered ProKYC, it appears the technology was developed before 2024. The technology created by ProKYC is targeting MFA identity verification by creating full synthetic identities, comprised of both the fraudulent ID document and a video of the face in the ID photo. Cybercriminals are leveraging this technology to create new, verified accounts that are then used for theft, money laundering, mule accounts, and other criminal activity.

How does ProKYC synthetic identity fraud work?

ProKYC charges $629 for an annual subscription and allows customers to use a three-step process to enable synthetic identity fraud.

  1. Creating an identity document
    • The identity document is virtual, as opposed to older fraud tactics which required printed documents
    • ProKYC currently provides fraudulent passports, but driver’s licenses and IDs are likely to be seen in the near future
    • The picture on the passport is uploaded by the user and is often an AI-generated face from a third-party site, such as a random face generator
    • The information on the passport is often a mixture of legitimate personally identifiable information (PII) from a real person (or people) whose identity information has been leaked and completely falsified information
  2. Creating a selfie video
    • A video is created of the AI-generated face
    • The face in the video will move left to right in an attempt to trick liveness checks
    • These videos often have the small glitches present in much AI-generated content, such as eye or ear imperfections
  3. Circumventing the phone camera or webcam
    • When completing the identity verification process, the user will be prompted to use their webcam or phone camera to complete the process
    • ProKYC allows users to submit their false identity images and video using a virtual webcam instead

Figure: Synthetic identity fraud using ProKYC. Source: Cato Networks

Robust solutions to prevent synthetic identity fraud

While ProKYC has enabled criminals to bypass KYC protocols successfully, robust fraud prevention methods can detect and prevent this type of synthetic identity fraud. Solutions like VeriScan’s digital identity verification platform perform hundreds of algorithmic checks to ensure both the identity document and user are legitimate.

Fake ID detection to prevent synthetic identity fraud

Fake ID documents vary in their believability. While some are clearly fraudulent, featuring egregious errors, AI has created more authentic-seeming documents. It is essential that KYC processes not only look for basic errors in formatting and barcode but also perform more in-depth checks, like front/back crossmatching, which often catches fake identity documents when the data from the barcode does not match the information printed on the identity document.
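
The front/back crossmatch described above, as an added example that is not VeriScan's code. It assumes the barcode has already been decoded to text with one AAMVA data element per line (header omitted), that the front fields come from OCR, and that dates on both sides are month-day-year; the sample values are constructed.

```python
import re
from datetime import datetime

# Real AAMVA element IDs; the field names on the right are this example's own.
AAMVA_FIELDS = {"DCS": "last_name", "DAC": "first_name", "DBB": "dob",
                "DBA": "expiry", "DAQ": "id_number"}

def parse_barcode(payload):
    """Pull the elements above out of decoded PDF417 text (one per line)."""
    back = {}
    for line in payload.splitlines():
        code, value = line[:3], line[3:].strip()
        if code in AAMVA_FIELDS and value:
            back[AAMVA_FIELDS[code]] = value
    return back

def norm_text(s):
    # Ignore case, spacing and punctuation so "D123-4567" equals "D1234567".
    return re.sub(r"[^A-Z0-9]", "", s.upper())

def norm_date(s):
    # Assumption: both sides are month-day-year (01/15/1990 and 01151990).
    return datetime.strptime(re.sub(r"\D", "", s), "%m%d%Y").date().isoformat()

def crossmatch(front, payload):
    """Return (field, reason) for every field that fails the front/back check."""
    back, findings = parse_barcode(payload), []
    for field in AAMVA_FIELDS.values():
        a, b = front.get(field), back.get(field)
        if not a or not b:
            findings.append((field, "missing"))  # absent data is itself a flag
            continue
        norm = norm_date if field in ("dob", "expiry") else norm_text
        try:
            if norm(a) != norm(b):
                findings.append((field, "mismatch"))
        except ValueError:
            findings.append((field, "unparseable"))
    return findings

# Constructed sample data, not taken from any real document.
SAMPLE_BARCODE = "DAQD1234567\nDCSSAMPLE\nDACJORDAN\nDBB01151990\nDBA01152030\n"
FRONT_OK = {"last_name": "Sample", "first_name": "Jordan", "dob": "01/15/1990",
            "expiry": "01/15/2030", "id_number": "D123-4567"}
# Same card with the printed name and birth date edited but the barcode left alone.
FRONT_ALTERED = dict(FRONT_OK, last_name="Sampel", dob="01/15/1985")
```

An empty result means the printed and encoded data agree; any finding should route the submission to rejection or manual review rather than silently passing.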

Third party database checks to prevent synthetic identity fraud

One of the most foolproof methods of catching synthetic identity fraud is by using third party databases to verify identity. VeriScan’s identity platform can check the provided information against DMV databases, the Social Security Administration, and other database records to ensure that the identity is legitimate. This ensures that the information from the ID document is connected to a legitimate person, and is not a blend of legitimate and falsified PII.

Selfie anti-spoofing to prevent synthetic identity fraud

While the AI-generated videos are meant to trick liveness checks, facial matching equipped with anti-spoofing protocols will still detect that the video presented is not a person. Anti-spoofing processes require users to perform a series of randomly chosen actions as opposed to simply checking that the person is moving around. The videos provided by ProKYC are unable to follow this series of commands that are simple for a human, such as looking up or down when prompted, which flags these identities as fraudulent.
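
A sketch of the randomized challenge step described above, added here as an example and not taken from any vendor's product. It assumes a separate pose classifier (hypothetical) that turns the live video into an ordered list of (action, timestamp) pairs; the action labels and function names are this example's own.

```python
import secrets
import time

ACTIONS = ["look_up", "look_down", "turn_left", "turn_right", "blink", "smile"]
_pending = {}  # nonce -> (expected actions, issued_at, expires_at)

def issue_challenge(n=3, ttl=20.0, now=None):
    """Pick n distinct actions in random order and remember them server-side."""
    now = time.time() if now is None else now
    actions = secrets.SystemRandom().sample(ACTIONS, n)
    nonce = secrets.token_urlsafe(16)
    _pending[nonce] = (actions, now, now + ttl)
    return nonce, actions

def verify_response(nonce, observed, now=None):
    """observed: ordered (action, timestamp) pairs from the pose classifier."""
    now = time.time() if now is None else now
    entry = _pending.pop(nonce, None)  # single use: a replayed nonce is gone
    if entry is None:
        return "unknown_or_replayed_nonce"
    expected, issued_at, expires_at = entry
    if now > expires_at:
        return "expired"
    times = [t for _, t in observed]
    # Actions must happen after the prompt was issued, and in time order.
    if times != sorted(times) or any(t < issued_at for t in times):
        return "bad_timing"
    if [a for a, _ in observed] != expected:
        return "wrong_sequence"
    return "pass"

def canned_left_right(start):
    """Constructed input: what a pre-made left-to-right clip would produce."""
    return [("turn_left", start + 1.0), ("turn_right", start + 2.0)]
```

Because the sequence is chosen per session and kept on the server, a clip prepared in advance only passes if it happens to contain exactly the requested actions in the requested order.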


The future of synthetic identity fraud prevention

While this sophisticated method of fraud is currently being reported in the cryptocurrency space, fintechs will likely see this fraud method attempted soon and may have already unknowingly experienced attempts. ProKYC is the first tool of its kind to be widely publicized, but it is likely just the first in a wave of similar technology.

As MFA becomes more standard and identity verification emerges in less-regulated industries, it is essential that all businesses verifying identity remotely are aware of these evolving fraud trends. As fraud tactics become more advanced it is essential to stay aware and ensure your cybersecurity providers are thinking ahead to prevent synthetic identity fraud.
